I have a wide scope of interests in IT, which includes Hyper-V private cloud, remote desktop services, server clustering, PKI, network security, routing & switching, enterprise network management, MPLS VPN on enterprise networks, etc. I started this blog for my quick reference and to share technical knowledge with our team members.

Tuesday, April 5, 2011

VRF-aware Dynamic Multipoint VPN

Following on from my previous post on VRF-aware Multipoint GRE, you can easily protect the mGRE tunnels further with IPsec. The ISAKMP keyring and identity match are bound to the front-door VRF ("outer", where the tunnel endpoints live), while the tunnel interface itself stays in the inner VRF.

On all routers:

!
crypto keyring ciscokey vrf outer
 pre-shared-key address 172.16.0.0 255.255.0.0 key cisco123
!
crypto isakmp profile isaDMVPN
 keyring ciscokey
 match identity address 172.16.0.0 255.255.0.0 outer
!
crypto ipsec transform-set tfDMVPN esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile proDMVPN
 set security-association lifetime seconds 900
 set transform-set tfDMVPN
 set isakmp-profile isaDMVPN
!
interface Tunnel1
 ip vrf forwarding inner
 ! apply IPsec protection on the mGRE tunnel
 tunnel protection ipsec profile proDMVPN

To verify, run the following commands and check that the ISAKMP SA shows state QM_IDLE with status ACTIVE, and that the crypto session shows UP-ACTIVE:

Router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.1      172.16.1.2      QM_IDLE           1001    0 ACTIVE
......

Router1#sh crypto session
Crypto session current status

Interface: Tunnel1
Profile: isaDMVPN
Session status: UP-ACTIVE
......

If you don't get the above results, troubleshoot further with "debug crypto isakmp" and "debug crypto ipsec". Most of the time the problem is in ISAKMP phase 1, usually the authentication key. Check that all the parameters (especially the pre-shared key) match on both peers.
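Since most failures come down to a parameter that differs between peers, here is an added example (my own illustration, not part of the original post) that pulls the peer-sensitive values out of two IOS config snippets modelled on the one above and reports which ones differ. The hub and spoke configs are constructed for the example; the spoke deliberately carries a mistyped key and omits "mode transport", so it falls back to the IOS default of tunnel mode.

```python
import re

# Constructed sample configs for illustration (not taken from the post). The
# spoke has two deliberate mismatches: a mistyped PSK and the default tunnel mode.
HUB_CFG = """
crypto keyring ciscokey vrf outer
 pre-shared-key address 172.16.0.0 255.255.0.0 key cisco123
crypto isakmp profile isaDMVPN
 match identity address 172.16.0.0 255.255.0.0 outer
crypto ipsec transform-set tfDMVPN esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile proDMVPN
 set security-association lifetime seconds 900
"""

SPOKE_CFG = """
crypto keyring ciscokey vrf outer
 pre-shared-key address 172.16.0.0 255.255.0.0 key cisco132
crypto isakmp profile isaDMVPN
 match identity address 172.16.0.0 255.255.0.0 outer
crypto ipsec transform-set tfDMVPN esp-aes esp-sha-hmac
crypto ipsec profile proDMVPN
 set security-association lifetime seconds 900
"""

# Parameter name -> (regex capturing its value, IOS default when the line is
# absent). A transform-set without a "mode" line is tunnel mode, which will
# not interoperate with a peer configured for transport mode.
PATTERNS = {
    "keyring_vrf": (r"^crypto keyring \S+ vrf (\S+)", None),
    "psk": (r"^\s*pre-shared-key address \S+ \S+ key (\S+)", None),
    "match_vrf": (r"^\s*match identity address \S+ \S+ (\S+)", None),
    "transforms": (r"^crypto ipsec transform-set \S+ (.+?)\s*$", None),
    "mode": (r"^\s*mode (\S+)", "tunnel"),
    "sa_lifetime": (r"^\s*set security-association lifetime seconds (\d+)", "3600"),
}

def extract_params(cfg):
    # Pull the values worth comparing across peers out of one router's config.
    params = {}
    for name, (pattern, default) in PATTERNS.items():
        m = re.search(pattern, cfg, re.MULTILINE)
        params[name] = m.group(1) if m else default
    return params

def find_mismatches(cfg_a, cfg_b):
    # Sorted names of parameters whose values differ between the two routers.
    a, b = extract_params(cfg_a), extract_params(cfg_b)
    return sorted(k for k in a if a[k] != b[k])
```

Run find_mismatches(HUB_CFG, SPOKE_CFG) to see the two constructed faults ("mode" and "psk") reported; a differing SA lifetime is flagged too, though peers will normally negotiate the shorter value.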